Monday, November 01, 2010

A One Time Password (OTP) is a password that is valid for only one login session. It is a popular authentication mechanism in India, used mainly by banking and stock-broking apps as the second factor in two-factor authentication. SMS to your registered mobile phone is the predominant channel for delivering this second factor.

Recently, Facebook announced to users that they now have the option of texting "otp" to 32665 from any U.S. mobile phone to receive an OTP via SMS that is good for 20 minutes of log-in time to their Facebook account.
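To make the two properties above concrete (a code that works for only one login, and only inside a 20-minute window), here is a small server-side OTP store. It is an added example written for this post, not Facebook's or any bank's code; it assumes 6-digit codes, a cap of five wrong guesses per code, an in-memory store, and that the caller delivers the plaintext code out of band by SMS.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60      # the 20-minute window the post mentions
OTP_DIGITS = 6                 # assumed code length; the post does not specify one
MAX_ATTEMPTS = 5               # assumed cap on wrong guesses per issued code


class OtpStore:
    """Issues and verifies one-time passwords for login.

    Only a hash of each code is kept, so a leaked store does not reveal live codes.
    Each code is bound to one account, expires after OTP_TTL_SECONDS, and is
    deleted on first successful use or after MAX_ATTEMPTS failures.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable clock, handy for tests
        self._pending = {}                       # account -> (digest, issued_at, failures)

    @staticmethod
    def _digest(account, code):
        # Bind the code to the account so a code issued to one user cannot be
        # replayed against another.
        return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()

    def issue(self, account):
        """Generate a fresh code for `account`, replacing any pending one.

        Returns the plaintext code for out-of-band delivery (e.g. SMS);
        the store itself never keeps the plaintext.
        """
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = (self._digest(account, code), self._clock(), 0)
        return code

    def verify(self, account, code):
        """Return True exactly once for the right code inside its window."""
        entry = self._pending.get(account)
        if entry is None:
            return False                         # nothing issued, or already consumed
        digest, issued_at, failures = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            del self._pending[account]           # expired: the user must request a new code
            return False
        if hmac.compare_digest(digest, self._digest(account, code)):
            del self._pending[account]           # single use: consume on success
            return True
        failures += 1
        if failures >= MAX_ATTEMPTS:
            del self._pending[account]           # too many guesses: invalidate this code
        else:
            self._pending[account] = (digest, issued_at, failures)
        return False


def demo():
    """Walk through issue -> verify -> replay -> expiry using a fake clock."""
    now = [1_000_000.0]                          # constructed timestamp for the demo
    store = OtpStore(clock=lambda: now[0])
    code = store.issue("alice")
    first = store.verify("alice", code)          # True: right code, inside the window
    replay = store.verify("alice", code)         # False: already consumed
    code2 = store.issue("alice")
    now[0] += OTP_TTL_SECONDS + 1                # jump past the 20 minutes
    late = store.verify("alice", code2)          # False: expired
    return first, replay, late


if __name__ == "__main__":
    print(demo())
```

The attempt cap matters as much as the expiry: a 6-digit code is easy to guess by brute force if the server lets unlimited attempts through within the window, and storing only a digest means a dump of the pending table cannot be turned into a login.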

Nice to see Facebook working on the security front for once rather than on endless feature updates. It has had its fair share of security woes, so it's nice to see it doing something that I think may be genuinely useful for its burgeoning user base.

In India, many banks use a similar mechanism called a Transaction Authorization Code: an OTP that is required whenever you carry out a transaction that moves money out of your account (bill payments, fund transfers, etc.).

This method adds security, but it will not stop attackers from getting access to a Facebook account. Using an unsecured network without encryption and other security measures puts you right back at square one.

It would also be nice to have something like Gmail's account security feature, which tells you whether a session is open on your account from another location and lets you monitor the latest IPs that have logged into the account.

About Me

He is involved in application security consulting and in establishing application security across the SDLC. He also conducts security workshops for the developer community. Besides his interest in application security, he likes performance testing and tuning of web applications.